Can't remove malware: VirusRemover2008
Asked by cwilliambrown
Have managed to get VirusRemover2008 on my PC. Can't find much about it on the net. It issues lots of fake warnings in an attempt to get you to buy the product. I can boot into safe mode but system restore will not work? I can get on the net but can't get to some potentially helpful sites (windows update, trend micro housecall). A google search shows a hit with removal instruction on BleepingComputer.com but the link fails. AdAware will not update?? Could this malware be that "intelligent." Any help would be greatly appreciated.
Sorry, did not realize that you said the bleepingcomputers-link didn't work for you. It works fine for me.
Also, check out the very detailed instructions by rpggamergirl in this EE thread:
https://www.experts-exchange.com/questions/23704670/How-to-stop-VirusRemover-2008-alert-screen-after-cleaning-VR2008-off-of-machine.html
(Following them, however, may only be necessary if after running MBAM you still experience strange problems that seem to be malware-related.)
ASKER
Malware Bytes appears to have fixed it. I can also access Windows Updates and update my other Spyware/Malware applications, as well as run TrendMicro's Housecall again. Do you think VirusRemover2008 was doing all that? It seems too big of a coincidence for it not to have been the cause. On the other hand, if it was, it is also the "cleverest" malware I have run across in a long time!
Please could you post the Mbam log?
Thanks.
ASKER
Sure... please let me know if you think the VirusRemover2008 could have been doing all the things I mentioned!
Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3
11/1/2008 12:07:52 PM
mbam-log-2008-11-01 (12-07-52).txt
Scan type: Quick Scan
Objects scanned: 63462
Time elapsed: 4 minute(s), 53 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{9233c3c0-1472-4091-a505-5580a23bb4ac} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MSFox (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSFox (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\SYSTEM32\msxml71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
ASKER
Any thoughts as to the possibility that this malware caused all of the things I mentioned before I close the question? Thanks.
Well, I don't think it was the cause of your System Restore not working. There are simply too many occasions where SR fails under normal conditions as well. That's why I generally recommend to disable it and to use EruNT instead.
As to the rest: yes. I do indeed think that it might have been causing all the other issues you encountered. And it doesn't even have to be especially 'intelligent' for a trojan to alter your hosts file and to monitor/kill running processes. I shouldn't consider this kind of defensive behaviour to be that extraordinary for "successful" malware.
ASKER
I spoke too soon. I attempted a Google search this morning and was redirected to a page trying to get me to buy software. I also received a pop-up "warning" that I had spyware installed and needed to scan/buy....." I was unable to update MBAM but I rescanned and found some of the same entries as before. I cleaned them but I'm worried they will return just as before. I'm going to try cleaning with some other utilities and keep my fingers crossed that I get it all.
You have not yet posted a HijackThis log. Please do.
Also, this may be a good moment to read up on the link I suggested above:
https://www.experts-exchange.com/questions/23704670/How-to-stop-VirusRemover-2008-alert-screen-after-cleaning-VR2008-off-of-machine.html
ASKER
Here is the HiJackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:59:08 PM, on 11/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Seagate\AutoBackup\MemeoBackup.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\PROGRA~1\AVG\AVG8\avgscanx.exe
C:\Documents and Settings\Charles\Local Settings\Temporary Internet Files\Content.IE5\MILTL50T\HiJackThis[1].exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB002" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Charles\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - S-1-5-18 Startup: AutoBackup Launcher.lnk = C:\Program Files\Seagate\AutoBackup\MemeoLauncher.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoBackup Launcher.lnk = C:\Program Files\Seagate\AutoBackup\MemeoLauncher.exe (User 'Default user')
O4 - Startup: AutoBackup Launcher.lnk = C:\Program Files\Seagate\AutoBackup\MemeoLauncher.exe
O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {1552B1CD-8CB7-4776-B6CB-16EA461928E5} (Cpuid Control) - http://www.powerleap.ca/Downloads/upgradefinder.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
O24 - Desktop Component 1: (no name) - http://www.steelers.com/
--
End of file - 11176 bytes
The first thing you should do:
Try to reset your hosts file following the link posted above by phototronic. A hosts file still corrupted by the malware is a plausible cause for internet address resolution not working correctly.
As to your log file: there is still a "karna.dat" on your system. This is considered nasty indeed, and you can try to let HijackThis fix it for you, or search and delete the file yourself in Safe Mode.
But I really don't know whether it can be blamed for the pertinence of your problems, seeing it is a .dat file without an active executable component that makes use of it.
But let's see what others will say.
/edit:
must read "phototropic" .... sorry for the typo
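The two mechanisms this reply points at, a hosts file edited so that update and security sites no longer resolve, and a DLL registered under AppInit_DLLs (the karna.dat entry in the log), can both be checked mechanically rather than by eye. The script below is an added example for this thread, not code from any poster or from HijackThis or MBAM; the protected-domain list, the user-directory pattern, and the sample hosts file and log lines are constructed assumptions for illustration.

```python
"""Triage a HijackThis-style log and a Windows hosts file for two things the
thread discusses: hosts-file entries that block security/update sites, and an
AppInit_DLLs entry such as karna.dat.

Added example; the sample hosts file and log lines below are constructed."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Sites a user reaches to update or clean a machine. Windows never needs these
# pinned in the hosts file, so any entry for one of them deserves a look.
# Assumption: an illustrative list, not an exhaustive one.
PROTECTED_SUFFIXES = (
    "windowsupdate.com",
    "update.microsoft.com",
    "trendmicro.com",
    "bleepingcomputer.com",
    "lavasoft.com",
    "malwarebytes.org",
)

# User-writable locations where a legitimate HKLM/HKCU Run entry rarely lives
# (assumption: a heuristic, some legitimate software does start from here).
USER_DIR_RE = re.compile(r"\\(Application Data|AppData|Temp)\\", re.I)

# "O20 - AppInit_DLLs: karna.dat" -> code "O20", body "AppInit_DLLs: karna.dat"
HJT_LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")


def is_protected(name: str) -> bool:
    """True if the hostname is one of the protected domains or a subdomain."""
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text, skipping comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((ip, name.lower()) for name in names)
    return pairs


def suspicious_hosts_entries(text: str) -> List[Tuple[str, str, str]]:
    """Flag protected domains found in a hosts file.

    'blocked'    = pinned to loopback or an unroutable address (site unreachable)
    'redirected' = pinned to some other address (site silently replaced)"""
    flagged = []
    for ip, name in parse_hosts(text):
        if not is_protected(name):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((name, ip, "redirected"))
            continue
        blocked = addr.is_loopback or addr.is_unspecified or addr.is_private
        flagged.append((name, ip, "blocked" if blocked else "redirected"))
    return flagged


def triage_hijackthis(log: str) -> Dict[str, List[str]]:
    """Pull out the HijackThis entries worth a second look."""
    findings: Dict[str, List[str]] = {"appinit_dlls": [], "run_from_user_dirs": []}
    for raw in log.splitlines():
        m = HJT_LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            # Windows loads every DLL named here into each process that links
            # user32.dll, which is how one small file can watch and kill
            # cleanup tools system-wide. An empty value is the normal state.
            value = body.partition(":")[2].strip()
            if value:
                findings["appinit_dlls"].append(value)
        elif code == "O4" and USER_DIR_RE.search(body):
            findings["run_from_user_dirs"].append(body)
    return findings


# Constructed sample data mirroring the thread's findings.
SAMPLE_HOSTS = """
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       www.windowsupdate.com
127.0.0.1       housecall.trendmicro.com
0.0.0.0         www.bleepingcomputer.com
"""

SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\User\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O20 - AppInit_DLLs: karna.dat
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

if __name__ == "__main__":
    for name, ip, verdict in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts: {name} -> {ip} ({verdict})")
    for category, items in triage_hijackthis(SAMPLE_HJT_LOG).items():
        for item in items:
            print(f"hjt {category}: {item}")
```

Run as-is it triages the embedded samples; on a real machine, feed the contents of C:\WINDOWS\system32\drivers\etc\hosts and a saved HijackThis log to the two functions. A "blocked" verdict on an update or vendor domain is exactly the symptom the asker saw (Windows Update and HouseCall unreachable, AdAware unable to update), and any non-empty AppInit_DLLs value on a home PC is worth investigating, since little legitimate software uses that hook. The run_from_user_dirs list is only a review queue: the cdloader entry in the asker's own log is MagicJack, a legitimate program that happens to live under Application Data.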
Yes, the bad entry is still there that MalwareBytes should have removed.
Try SmitfraudFix or SDFix; these tools also remove it, but you need to run them in Safe Mode.
Download SmitfraudFix, and select Option 2. Clean (Safe mode recommended)
http://siri.geekstogo.com/SmitfraudFix.php
Or SDFix (only works in Safe Mode; extract the file and double-click on "RunThisBat").
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
How to use SDFix:
http://www.bleepingcomputer.com/forums/topic131299.html
If the problem persists, we'll then use Combofix.
ASKER
OK, I have updated my hosts file per the above link. I ran SmitFraud in safe mode. Things "appear" to be ok. One thing I noticed, was that somewhere along the way, homepage was changed to www.msn.com and my clock was switched to the 24 hour format. No big deal just curious as to what caused it?? A new HiJackThis log file is attached.
hijackthis2.log
No more threats, as far as I can see.
Those two things you noticed are most probably reversions to what the cleaning tools consider to be a default state:
- Isn't msn.com the default homepage in IE after installing XP? I can't tell for sure, because I don't use IE - never have, never will. But certainly nothing to worry about.
- The clock in 24 hour format? Well, that may simply mean that at least one of those tools was programmed by a continental European like me ;) For us, that's the normal way of telling the time.
ASKER
Thanks everyone. I think my PC is clean now! I'm going to divide the points between all of you because each one gave me a part of the solution. However, I am going to award Torimar more because he was the first to mention SmitFraud.
ASKER
I meant to say Phototropic was the first to mention SmitFraud.
ASKER
Thanks!
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
Have it create a logfile, but not fix anything. Then post the logfile here as an attachment.